Harlan,

Here is an example of Locard's exchange principle at work in the digital realm: An intruder gains unauthorized access to a Unix system from his Windows PC using a stolen account and uploads various tools to the Unix machine via FTP. The tools are now located on both the Windows and Unix systems. The MD5 value of these tools will be the same and some of the date-time stamps and other characteristics of the files on both systems may match. The Windows application used to connect to the Unix system (e.g., Telnet, SecureCRT, SSH) may have a record of the target IP address/hostname. Directory listings from the Unix system may be found on the intruder's hard drive if they were swapped to disk while being displayed on screen by Telnet, SecureCRT, SSH, etc. The stolen password is probably stored somewhere on the intruder's system, possibly in a sniffer log or in a list of stolen accounts from various systems (so that he does not have to remember them). The FTP client used (e.g. WS_FTP) may create a log of the transfer of tools to the server. The Unix system may have login records and FTP xferlogs showing the connection and file transfers. Additionally, if the intruder tarred anything up on the Unix system and downloaded it to his PC, the tar ball may contain the stolen username and associated group. Between the two systems there may be related IDS alerts, NetFlow logs, and other logs showing the intrusion and file transfer. This is only a quick summary - there are likely to be many other exchanges of digital evidence caused by an intruder's activities in a given case.

Regarding evidence dynamics (a topic near and dear to me), I do not see this as a developing trend. Evidence dynamics has always been and always will be a challenge that we must deal with.
Extending the arson investigation/intrusion investigation analogy that I alluded to in my previous message:

Arson:
1) an offender burns a car to destroy evidence of a crime he just committed
2) firemen hose down the car, washing away additional evidence
3) the small amount of evidence that remains in the car is collected improperly, making it difficult to analyze
4) a forensic examiner accidentally alters the evidence while processing it, compromising its integrity even further

Intrusion:
1) a hacker wipes portions of a disk on a compromised host to destroy evidence of a crime he just committed
2) system administrators responding to the incident cause valuable deleted data to be overwritten while protecting the system from further attacks
3) the small amount of evidence that remains in the car is collected improperly, making it difficult to analyze
4) a forensic examiner accidentally alters the evidence while processing it, compromising its integrity even further

Eoghan

On Mon, 21 Oct 2002, H C wrote:

> Eoghan,
>
> > In addition to repeatable results and Locard's exchange
> > principle (I can verify that this applies in the digital
> > realm)
>
> I'm familiar w/ the concept of Locard's principle...can you
> elaborate on your response about verifying it in the digital
> realm?
>
> What role does evidence dynamics play in your view of future
> trends of forensics, if any?
>
> Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
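The cross-system correlation Eoghan describes above (the same tools on the intruder's PC and the victim, identical MD5 values, and the victim's FTP xferlog recording the upload), as an added example that is not part of the original post or of the list. The two "systems" are constructed sample directory trees, the xferlog lines are constructed, and the host address, username and paths are hypothetical; the field layout assumed for the xferlog is the standard wu-ftpd one (timestamp, transfer time, remote host, size, filename, transfer type, special-action flag, direction, access mode, username, service, auth method, auth user id, completion status).

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample evidence (hypothetical paths, host and user): the same two
# tool files exist on the intruder's "windows" side and the compromised "unix"
# side, alongside unrelated files. In a real case these would be the mounted,
# read-only images of the two systems.
SAMPLE_FILES = {
    "windows/tools/ls": b"ELF-rootkit-ls-stub",
    "windows/tools/sniff": b"sniffer-stub",
    "windows/docs/notes.txt": b"unrelated",
    "unix/home/jdoe/ls": b"ELF-rootkit-ls-stub",
    "unix/home/jdoe/sniff": b"sniffer-stub",
    "unix/etc/motd": b"welcome",
}

# Constructed wu-ftpd-style xferlog lines (hypothetical host/user). Direction
# field: i = incoming (upload to the server), o = outgoing (download).
XFERLOG = """\
Mon Oct 21 13:40:01 2002 1 192.168.1.50 19 /home/jdoe/ls b _ i r jdoe ftp 0 * c
Mon Oct 21 13:40:03 2002 1 192.168.1.50 12 /home/jdoe/sniff b _ i r jdoe ftp 0 * c
Mon Oct 21 13:45:10 2002 4 192.168.1.50 4096 /home/jdoe/loot.tar b _ o r jdoe ftp 0 * c
"""


def build_sample_tree():
    """Write SAMPLE_FILES under a temp dir; return (windows_root, unix_root)."""
    base = tempfile.mkdtemp(prefix="locard-")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "windows"), os.path.join(base, "unix")


def md5_tree(root):
    """Map MD5 digest -> list of file paths found under root."""
    index = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                index[hashlib.md5(fh.read()).hexdigest()].append(path)
    return index


def matching_files(root_a, root_b):
    """Files present on both systems, keyed by MD5: the Locard 'exchange'."""
    a, b = md5_tree(root_a), md5_tree(root_b)
    return {digest: (sorted(a[digest]), sorted(b[digest]))
            for digest in a.keys() & b.keys()}


def parse_xferlog(text):
    """Parse wu-ftpd xferlog lines into dicts; skip malformed/truncated lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        records.append({
            "time": " ".join(f[0:5]),
            "remote_host": f[6],
            "size": int(f[7]),
            "filename": f[8],
            "direction": f[11],
            "user": f[13],
        })
    return records


def correlate_uploads(matches, records, unix_root):
    """Link each cross-system hash match to the xferlog upload that planted it.

    A record corroborates a match when its filename resolves to the matched
    Unix-side file, its direction is 'i' (incoming) and the logged byte count
    equals the size of the file actually on disk.
    """
    by_unix_path = {}
    for digest, (_win_paths, unix_paths) in matches.items():
        for p in unix_paths:
            by_unix_path[os.path.normpath(p)] = digest
    linked = []
    for rec in records:
        path = os.path.normpath(os.path.join(unix_root, rec["filename"].lstrip("/")))
        digest = by_unix_path.get(path)
        if digest and rec["direction"] == "i" and os.path.getsize(path) == rec["size"]:
            linked.append((digest, rec["filename"], rec["remote_host"], rec["user"], rec["time"]))
    return sorted(linked, key=lambda hit: hit[1])


if __name__ == "__main__":
    win, unix = build_sample_tree()
    matches = matching_files(win, unix)
    for digest, (w, u) in matches.items():
        print(digest, w, "<->", u)
    for hit in correlate_uploads(matches, parse_xferlog(XFERLOG), unix):
        print("upload corroborated:", hit)
```

The hash match only establishes that identical content exists on both machines; by itself it says nothing about which way the files moved. The xferlog direction field and the size check supply that second, independent strand, which is the point of the exchange principle: the intruder's PC and the victim each carry a record the other can be checked against. The downloaded tar ball in the third log line is deliberately left unmatched, since its direction is outgoing and nothing on the constructed Windows side corresponds to it.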
This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 13:56:59 PDT